[36879] in Kerberos


ldap backend - krbPrincipalName substring search

daemon@ATHENA.MIT.EDU (Paul B. Henson)
Thu Apr 2 19:37:46 2015

Date: Thu, 2 Apr 2015 16:37:23 -0700
From: "Paul B. Henson" <henson@acm.org>
To: kerberos@mit.edu
Message-ID: <20150402233723.GI4951@bender.unx.csupomona.edu>

I've been happily using the ldap backend via openldap for many years.
Over the past couple of days, I've seen a new message pop up a handful
of times that I've never seen before:

Apr  1 16:45:47 chaos slapd[8670]: <= mdb_substring_candidates: (krbPrincipalName) not indexed

which basically means something did a substring search on the
krbPrincipalName, and there is no substring index, hence it had to do a
full crawl to find the matches. I've only ever had an equality index on
krbPrincipalName; this is the first time I've ever seen something try to
do a substring search. Given kerberos is the only thing with access to
the ldap server, the search must have come from it. I don't currently
have query logging enabled so I'm not quite sure what it was up to.

Does the ldap backend need a substring index on krbPrincipalName in
addition to the equality index? What kdc or kadmin operation might
result in a substring search?

Thanks...

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
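
An added example, not part of the original post: a small Python tally of slapd "not indexed" notices by attribute and index kind, which also rejoins records wrapped onto a second line the way the one in the post was. It assumes other backends and index kinds log the same message shape as the quoted line; every sample record except the first is constructed.

```python
import re
from collections import Counter

# Matches slapd's "not indexed" notice, e.g. the one quoted in the post:
#   <= mdb_substring_candidates: (krbPrincipalName) not indexed
# Assumption: other backends / index kinds use the same "<backend>_<kind>_candidates" shape.
NOT_INDEXED = re.compile(
    r"slapd\[\d+\]: <= (?P<backend>[a-z]+)_(?P<kind>[a-z]+)_candidates:\s+"
    r"\((?P<attr>[^)]+)\) not indexed"
)
# Start of a classic syslog record: "Apr  1 16:45:47 "
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def unwrap(lines):
    """Rejoin syslog records that a mail client or pager wrapped onto extra lines."""
    record = ""
    for line in lines:
        line = line.rstrip("\n")
        if SYSLOG_START.match(line):
            if record:
                yield record
            record = line
        elif line.strip():
            # Continuation of the previous record (or an orphan fragment).
            record = f"{record} {line.strip()}" if record else line.strip()
    if record:
        yield record

def missing_indexes(lines):
    """Count (attribute, index kind) pairs that slapd reported as not indexed."""
    counts = Counter()
    for record in unwrap(lines):
        m = NOT_INDEXED.search(record)
        if m:
            counts[(m["attr"], m["kind"])] += 1
    return counts

# Constructed sample: the first record is the line from the post, wrapped as posted;
# the remaining records are made up for illustration.
SAMPLE = """\
Apr  1 16:45:47 chaos slapd[8670]: <= mdb_substring_candidates:
(krbPrincipalName) not indexed
Apr  1 16:45:48 chaos slapd[8670]: conn=1021 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr  1 17:02:10 chaos slapd[8670]: <= mdb_substring_candidates: (krbPrincipalName) not indexed
Apr  1 17:05:31 chaos slapd[8670]: <= mdb_equality_candidates: (uid) not indexed
""".splitlines()

if __name__ == "__main__":
    for (attr, kind), n in missing_indexes(SAMPLE).most_common():
        print(f"{attr}: {n} {kind} search(es) without a {kind} index")
```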
